2/5/2011

So, I was testing a (closed source) single-player offline game recently and thought this exercise might be fun to document. I didn’t want to spend any time actually earning in-game money since I’d played it before and I wanted to just skip ahead to other aspects of the game. I was curious how straight-forward adjusting my cash might be. So, noting the in-game “bank account number” of 219393 and account balance of 3000, I dived right in.

First up, what’s the memory layout of the heap look like? I looked at the brk and the mmap regions without a mapped library or file, marked with “w” in the permissions column, from /proc/PID/maps:

In that second hit, I see the value 0xBB8, which is 3000, and matches our account balance. Let’s see what happens if we just change both of those to add a bit a few orders of magnitude above the current value…

8/12/2010

Dan Rosenberg pointed me to a paper from the 2010 WOOT conference that mentions my work to implement the CryptProtect function in Wine. Their research is awesome, and it was fun to compare my attempts at identifying the blob structure to what they discovered. Looks like I got the structure pretty well, but that was easy; they totally broke the encryption itself. Now those native blobs can be decrypted, opening the door to full NTFS interoperability, offline forensics of Windows encrypted files, etc. (For designers of future symmetric encryption methods: please don’t store the keys (in any form) on disk with the cipher text…)

What I found most alarming about this is a comparison to eCryptfs, and how it is implemented with the user’s login passphrase. In both cases, a hash of the passphrase is used to perform additional work that results in keying the final encryption. In eCryptfs, this hash is calculated to unlock the main key that is used for eCryptfs and is then thrown away (it can always be regenerated when the user logs in). If the user changes their passphrase, they must decrypt and re-encrypt the eCryptfs key (this is done automatically by PAM). Under Windows, to deal with potential user login passphrase changes, they instead decided to store all prior (SHA1) hashes of the user’s passphrases, even lacking a salt. So all the clear-text user login passphrases are recoverable with a standard rainbow table, in parallel. O_o

2/13/2009

I first played World of Goo on the Wii. I loved it. Great stuff, reminded me a little of Lemmings, but way way better. Today I found out it’s also available for Linux, and I immediately downloaded it. I was pleased to see a .deb available and thought I’d dig into the binary a little to see how it was put together.

I’m hugely excited to see that it looks like the game was built on Ubuntu Intrepid for both the .deb and .tar.gz packages:

What I’m so very excited about is that third party software producers are using Ubuntu for their releases. This means they get all the security and code-quality improvements that are built into the Ubuntu compiler for free:

All this said, it may be that they’re actually only compiling pieces (like the Open Dynamics Engine, which seems to contain the bulk of the *_chk calls) on Ubuntu (or using .a files from a distro-compiled library that enables hardening only in builds — RedHat, SuSE), but doing the .deb and .tar.gz project linking on Ubuntu (which is why the compiler name shows up in the resulting binary). The RPM shows the *_chk functions too — actually the disassembly is identical between deb and RPM, which would imply that only final linking was done on the native distros but compiled elsewhere. I’d love to hear more details if Maks stumbles on this blog. :)

9/15/2007

Recently I was trying to help debug a stack overflow crash in wpa_supplicant. The trouble with a stack crash is that you end up without a useful call history since the stack is left partially wrecked. The compiler code for detecting stack overflows (SSP), sets up a canary value between the local variables of the function and the stack frame. When the function exits, it tests this canary value and aborts if it doesn’t match what it is expecting. So, logically, to catch the stack overflow, gdb needs to be set up in a way to watch the canary location too. Since the canary is only valid while in the function, gdb must be set up to have a memory watch only when the function is called.

Release local stack, pop saved registers and return. Nearer the end is the call to __stack_chk_fail when the canary doesn’t match.

So, to watch the canary, we need to set up a memory watch after it as been set, and tear it down before we leave the function. Respectively, we can use addresses 0×08081964 and 0x08081a3a (in bold above):

Since I couldn’t find an easy way to track the memory watch number that was created during the first breakpoint, I just built a gdb counter, and deleted the memory watch when leaving, since I could predict gdb’s numbering (first watch will be “3″, following our breakpoints 1 and 2):

On a closer look at the source, we realize wext_get_scan_custom got inlined into the function (it was static and only called from one place, so the compiler optimized it). Further tracking in the source shows that the “16″ value passed in should actually be “8″ (the limit of the destination, not the source, buffer size).

8/7/2007

I thought last year was going to be a fluke. Somehow we managed to do it again. Team 1@stPlace won DefCon Capture the Flag for a second year in a row. If my sources are correct, this is the first repeat CTF winner at DefCon since the Ghetto Hackers. I’m honored to be on such a very talented team. I’ve only just recently recovered from getting almost no sleep for 3 days. :)

8/7/2006

I can’t believe it. We wonDefConCTF. I have no idea what to say. It just all came together this year. Great team, great contest.

And to make it even sweeter, since CTF is a “Black Badge” contest, I never have to pay to get into DefCon again! Although, at this point, I might pay several years worth of admission in exchange for lots of time to sleep. :)

1/17/2006

Today I was reminded of the NGsec security games site from a DefCon CTF team-mate. (This game was actually used as a prequal for DefCon 10, which I didn’t go to. Ken told me stories about it, though.) I burned through stages 1-9 in about 45 minutes, and then hit stage 10 and was side-tracked learning about encrypted ELF binaries.

There continues to be no useful FOSS binary analyzers for this kind of reverse engineering. gdb just doesn’t even begin to cut it: it was made for (surprise!) debugging programs built by friendly compilers, not doing forensics on decidedly unfriendly, hand-crafted binaries . If Paul Graham and Richard Hamming are to be believed:

What are the most important problems in your field?

Are you working on one of them?

Why not?

I should be writing a static binary analyzer. And a dynamic one too. GPL IDApro replacement. Yeow.

10/19/2005

I’m a little behind in my Slashdot reading, so apologies to those that saw this earlier.

The EFF cracked the nearly invisible finger-printing code produced by color printers. This system is used by most (if not all) major color printer manufacturers to report the serial number of the printer used and the date a page was printed. This system has been in place for at least 10 years. I’m horrified at this kind of privacy invasion. To quote the EFF:

“Underground democracy movements that produce political or religious pamphlets and flyers, like the Russian samizdat of the 1980s, will always need the anonymity of simple paper documents, but this technology makes it easier for governments to find dissenters,” said EFF Senior Staff Attorney Lee Tien. “Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?”

9/22/2005

Figured I should try to decompile myself. The first step would be get a full dump of my DNA base pairs as letters. Looks like that’s not going to be easy though. Even a DNA stain takes a lot of steps (and I’ll probably never be allowed to do the radioactive steps myself). The real goal here is that with current US law, I should copyright myself (I’m the first performance of the specific base pair “idea”) and possibly patent myself (my methods are a unique variation of other methods).

Obviously this doesn’t take into account my immune system or my memories, but I figure it’s a good start. At like just under 10 billion base pairs, that’s a 10GB program. I think Inkscape is only 45M or so, and that’s not even counting shared libraries.

Since I don’t really want to share my DNA with a company (I’ve got to be the first to copyright it), I wanted to find out what it would take to sequence at home. Since a sequencer is in the $100k price range, that’s not really going to happen. Talking to my NIH-employed friend techne23, she suggested a possible “cheap” way to do it would be in pieces, doing PCRs on specific SNPs, and send those out for sequencing to get back base pair letters. For example, on a gene, the red ones here are considered “interesting”. The PCR machines can be had for cheap, too.

8/29/2005

Not a lot of OSS folks seem to be interested in reverse engineering, so as a result, there isn’t anything like IDA-Pro for the OSS reverse engineer. There is a very excellent disassembling library, but it has no user interface (yet). It used to have Bastard attached, but that’s pretty out of date now. There is also Lida, but it doesn’t even compile. It was based on Bastard, but I can’t get it to work. It seems to be missing some specific version of the opcode map from Bastard.

Bastard and Lida are both static analysis tools, though. What I really want is a dynamic analyzer. I want to be able to trace the call paths during Porrasturvat’s execution, so I can more easily figure out which function is called when I click “Dismount”. That’ll help me find the Force constant. I’m worried I’m going to have to hack together some unholy Perl script to run “stepi” over and over, waiting for each “call” to take place. That. Would. Be. Very. Slow.

Anyway, I was really impressed with libdisasm, so I built an automake/autoconf setup for it. Even if they don’t want it, I like being able to do a “make install” and having the library end up in the right place. :)

8/28/2005

Three years ago, when I first saw tAAt’s Porrasturvat, I couldn’t stop playing it all day. It’s a really simple game: see how much “damage” you can score to a stick figure that you push down the stairs. It’s basically a physics simulation that tracks force and impact of a body falling down a flight of stairs. So much fun. I hope they make it skinnable. :)

At the time (2002-11-12) I had asked for source code in the hopes of helping to port it to Linux. I got an email yesterday in reply to my request. This sets the record for the longest reply-time on a email, ever. :) Jetro was letting me know it was available for Linux now, so I immediately downloaded it and started playing again. This version is much more stable and lacks any scoring glitches (that I’ve been able to find), so it’s a real challenge to get a high score.

Even in the original game, I had wanted to push the figure backwards off the stairs to see what kind of damage would be done just from having him fall straight down. This time, I’m determined to practice some binary analysis skills and locate the place in memory where the “Force” value is kept so I can tweak it. So far so good, I’ve been able to locate the damage accumulators for the various body parts. Now it’s a matter of just tracing the changes back through the execution paths. Here’s my million-point game:

I was able to get my hands on a CVS camcorder this past week. The unit is very cool. It doesn’t have any features of a “real” video camera, but I view it like a super-version of my Digital camera which can take 15 seconds worth of video at a time. This one is only limited by available storage (about 20 minutes). The resolution can be turned up to 640×480, too.

Initially I couldn’t get a cable built for it. I had a spare USB cable and a spare Palm Pilot cable to merge, but after soldering it all together, the device wouldn’t take an address (but my laptop noticed it was getting plugged in). After a hint from Linus (“plug-ins are detected via power-draw, everything else is over the data lines”), I realized that perhaps the USB data wires were reversed (the cable has got to flip them on at least one end of the cable… I just got unlucky).

The software for downloading the videos had been ported to Linux, and I worked on some more code to have a one-shot ability to download all the videos from the camera. Now I’ve got autoconf/automake working for it, and have gotten myself added to the Saturn Tools project where we can all work on the code through SourceForge’s CVS. Much easier than endlessly trading patches. :)

So far, I’ve managed to wreck the splash-screen image during camera bootup. Something is busted with the usb_bulk_write calls, and the device stops taking writes after 4k worth of data. Hopefully I can get that repaired so I can be greeted by the Laughing Man. I’ve also got a JPG all ready to replace the logo screen, “powered by pure digital technology”, with my oh-so-clever “powered by pwnd digital technology”.

7/13/2005

Damn. I just thought up another piece of software (that I’m capable of writing) that I can’t find. This is bad; it means it’s going to haunt me until I code it.

So, frequently, I’m faced with streams of bytes of unknown origin/purpose. (For example, the .TiVo file format, RTMP streams, and most recently, Outlook “NK2″ address autocompletion cache files.) I’ve had experience finding patterns, but it’s always so time-consuming. Usually I’m compiling some little C program over and over, slowly tweaking some guessed-at structure. This is basically the advice I got from Andrew Tridgell when I asked how he went about reverse engineering protocols. His methods deal more with sending/receiving, so it’s much more interactive. Most of what I’ve mucked with are just unknown file formats.

What I want is a nice GUI tool that will let me specify a language to describe a data file’s contents. I can see lots of meta-specifications like “repeat this structure until EOF”, and “if byte 5 is 1, read X bytes, otherwise, read X+50 bytes”, etc. Most data formats have pretty simple layouts after you figure them out. As you create the structure for the data to fit into, you can see the data from your example file displayed live. This way you can quickly tweak lengths, offsets, encoding types, endianness, etc, without needing to totally recompile your test harness.

Hell, it could even spit out the C code to process it, too. :)

I’m thinking about using Gtk and Python. We’ll see how rapid that path is for developing a nice GUI. I’ve heard good things. :)

2/25/2005

After I found some details on the .tivo file format, and cooked up some code to produce the same output. So far, there isn’t a lot of detail. It’s mostly just strange stuff. mpegcat finds the MPEG2 stream right where it should be, but supposedly the non-I-frames appear to be encoded.

All the files I’ve downloaded from my TiVo have the same “fingerprint” listed in the XML header, and a different “salt”. The interface for downloading recordings is very simple. Connect to https://[tivo IP]/ and it’ll prompt you for your username and password, which is “tivo” and your “Media Access Key”. After that, you’re all set; browse away. Download speed is rather slow: 500kB/s. Better than 2400 baud. :)

2/16/2005

Well, I got annoyed that I couldn’t watch the SWF-based HitchHiker’s trailer on the Amazon.com main page. swf_play failed miserably. Most of the crap Apple pulls for their movie trailer stream-hiding is simple enough to work around. Generally I just keep downloading the MOVs, running strings on them until I find the actual MOV with the movie trailer in it, but Amazon’s wasn’t so easy. I found the base URL to the video easily enough in the XML parameters file. The hard part was figuring out what the hell “rtmp” is. mplayer didn’t recognize it, and after a quick nmap of the media server, I just got more confused. nmap listed a port 1935 called “rmtp”. Digging around a little it became very obvious that nmap’s services entry was just a typo. So I sent in a quick patch, and Fyodor accepted it within minutes. Pretty cool.

Anyway, on to the protocol dissection. I set up tcpdump to record everything sent to fcs.amazon.speedera.net, and took a look at it in Ethereal. Seeing that it was mostly binary, I looked around for something that would dump the data portion of a packet stream, but ended up empty handed. I’ve repeatedly wanted this, so I finally broke down and read up on coding with libpcap. It’s easy enough to use, but I floundered with the packet headers for a while. Eventually I managed to find the data portion of the packets, and was able to dump the client stream and the server stream separately. I wish there was a button on Ethereal’s “Follow TCP Stream” window that would just let me save the data. My tool doesn’t at all track sequence numbers or retransmissions, etc, so I worry that in some situations I won’t get a “true” stream dump. I suspect Ethereal handles that correctly, but I couldn’t tell you for sure.

After looking at this protocol dump, it seems like it ends up turning into some kind of SOAP-like communication, with function call literals like getStreamLength, createStream, play, and closeStream. There’s even a _result variable mentioned. The Flash coding docs I’ve found that talk about stream display don’t seem to mention this stuff at all, but maybe I didn’t dig far enough.

Since RTMP appears to be capable of streams, etc, I think the next step is to figure out how it reacts to things like “Pause” and “Stop” during playback. Clearly there is a stream-identification system in the headers, and there must be stream length indicators. I’m so annoyed that there is absolutely no discussion of RTMP anyway. I should go look at the swf_play source before I go much further.